Every 4 Years the World Gathers…On Your Network

August 2nd, 2008


Most of the time when people think of China and computers, two things come to mind: hackers and a heavy-handed government.  However, this year there is a third category: the Olympics.

As has become common with all major sporting events, this year’s Olympic games are being streamed on the Internet (NBCOlympics.com).  This means your employees will be enjoying swimming, track and field and other exciting events on company time.  Not only that, the additional bandwidth will slow down everything on the network.

Not convinced?  Well, we weren’t either until two years ago, when some of our customers’ Internet service came to a grinding halt during “March Madness”.  Then the same thing happened in 2007.  Last March, we noticed slowness again, but not to the extent we did in March 2006 and 2007.

So what’s the solution?  The solution is simple: use a smart web filter and prioritize your Internet traffic.  The filter will keep your employees off the sites you don’t want them on during the business day.  Prioritization ranks protocols and caps their overall bandwidth, making streaming media a lower priority.

The Cymphonix Network Composer solution is a great way for any business to affordably do this.  We’ve had customers install these units and, as a result, defer the cost of additional bandwidth for over a year, which paid for the cost of the unit in less than 4 months.  We offer them on free 30-day trials to our customers.  Now would be a great time to see how well they work.  Contact us today.

A Simple Way to Enhance Email Security

August 1st, 2008


One of the most effective ways to enhance email security is to use encryption.  Encryption, in theory, makes the email unreadable by anyone other than the sender and receiver.  The downside is that there are few easy ways to add encryption to email without adding a third-party product like MailMarshal Secure Email Server, CertifiedMail, Borderware or PGP.  These are all great products and do an excellent job of keeping your email secure.  But they cost $$$.

There is an easy way to add a simple level of encryption to your email without going through the expense of installing and configuring a full-featured encryption solution.  It’s called TLS, Transport Layer Security.  TLS is essentially SSL for email.  What it does is create a secure channel through which email can be sent and received between servers and clients.  In most cases, it’s a matter of “turning it on”, since it’s already a feature in most mail servers and email clients.

What does TLS give you?

TLS provides a level of security as your mail is transmitted through the Internet.  It’s like creating a tunnel between you and the mail server as you exchange mail.  It makes it harder to snoop on your mail as it moves across the dozens of connections on the Internet. 

What doesn’t TLS give you? 

TLS does not provide security beyond the connection layer.  That means that if you are sending an email to Person A, the message is protected only as far as Person A’s email server; beyond the server, there is no encryption.  Someone in Person A’s company can still snoop on it.
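To see this hop-by-hop limit on a real message, you can read its Received headers.  The Python below is an added illustration, not part of the original post: it reports which hops of a constructed sample message say they used TLS.  The hostnames, addresses and message are invented; ESMTPS, ESMTPSA, LMTPS and LMTPSA are the TLS-marked `with` keywords from RFC 3848.

```python
import email
import re

# "with" keywords that mean TLS protected the hop (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message (invented hosts, reserved example addresses).
# The newest hop is on top, which is how mail servers write these headers.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.20])
\tby store.recipient.example with ESMTP id CCC333;
\tFri, 1 Aug 2008 10:00:03 -0400
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS id BBB222;
\tFri, 1 Aug 2008 10:00:02 -0400
Received: from laptop.sender.example (laptop.sender.example [198.51.100.5])
\tby mail.sender.example with ESMTPSA id AAA111;
\tFri, 1 Aug 2008 10:00:01 -0400
From: alice@sender.example
To: bob@recipient.example
Subject: Quarterly numbers

Figures attached.
"""

def hop_report(raw_message):
    """Return one dict per hop, oldest first, noting whether it claims TLS."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        # Unfold the header and drop the trailing "; date" part.
        trace = " ".join(value.split()).rsplit(";", 1)[0]
        fields = {}
        for key in ("from", "by", "with"):
            match = re.search(r"\b%s (\S+)" % key, trace, re.IGNORECASE)
            fields[key] = match.group(1) if match else None
        proto = (fields["with"] or "").upper()
        # A missing or plain "with" clause is treated as no TLS on that hop.
        hops.append({"from": fields["from"], "by": fields["by"],
                     "protocol": proto or None, "tls": proto in TLS_PROTOCOLS})
    return hops

def unencrypted_hops(raw_message):
    """Hops where the message travelled without TLS, per the headers."""
    return [hop for hop in hop_report(raw_message) if not hop["tls"]]

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop["by"], hop["protocol"], "TLS" if hop["tls"] else "NO TLS")
```

In the sample, the first two hops are protected and the last one, inside the recipient’s own network, is not.  Each server writes its own Received header and earlier ones can be forged, so treat the report as what the servers claim.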

So, TLS is something everyone should consider.  It’s just a wise option.  If you need more than TLS, for example if you are sending sensitive information or are required by law to have encrypted email, give us a call.  We have several solutions that can be matched to your business needs.

Best Practices Are Good For Your Company and For Your Job!

August 1st, 2008


Bill Brenner from CSO Magazine recently wrote the following:

In the wake of a data breach, the company’s top brass may go looking for someone to blame. If you are the security chief, chances are it’s going to be you.

It doesn’t matter that you warned executives repeatedly that certain technological or cultural flaws were putting the company at risk, or that you had to maintain security with a shoestring budget and little or no staff. Chances are you’ll take the fall whether you deserve it or not, says George Moraetes, a Chicago-based security contractor and executive board advisor for security event management firm IdentityLogix.

He has watched as some of his CSO acquaintances were blamed for a security failure or dismissed for trying to blow the whistle over the company’s security holes.

“One friend of mine, the CISO of a credit bureau, blew the whistle on a security auditor who wasn’t following best practices and was making reporting discrepancies,” says Moraetes, an independent consultant. “The auditor was a friend of the top brass, and the CISO was let go. I know of three others in Georgia who were fired or demoted for similar reasons.”

The moral of the story…If you’re in charge of security at your company, whether you have 5 employees or 5000, you should have a documented best practices policy and procedures manual that is audited for compliance.  Your job is at risk, as the precedent has already been established.

Best practices are free.  You just need to follow them.  What are they?  Well, a good place to start is the SANS Institute (www.sans.org).  This group puts out quality material, much of it available to the general public.  They have some good starter guides if you want to get started with best practices.

Also, the NIST Manual from our July 23 posting is another good manual with good measurement metrics.

You can also use security consultants with CISSP or GIAC certifications to help establish and audit them.

It’s dog eat dog in the world of phishing

July 31st, 2008


Phishing kits, which include the tools necessary to duplicate common websites along with the scripts to steal information submitted by phishing victims, are widely available on the Internet, but they are booby-trapped.

About 40% of these so-called “kits” are designed to steal whatever information the phishers catch and then send the info back to the makers of the “kits”.

It appears now that phishers are using Darwinian principles to become richer: big fish eating little phish with only the strongest surviving.

How can you avoid being a victim of phishing?  Norman Data Defense suggests three reasons why people are fooled by it:

  1. Lack of Knowledge - most people are unaware of the risk
  2. Visual Deception - most phishing sites or emails look official
  3. Lack of Attention to Security Indicators - we don’t pay attention to the little “lock icons” on our browsers or warnings on SSL Certs

What should you do?

Use these three categories above when you visit a site, even if you type it in your browser yourself. 

  1. Remember you can be duped easily by a slip of the finger.  Check your spelling.  Another form of trickery through browser redirection and a DNS exploit can make something phoney look real.
  2. Know your site.  If you frequent sites and they’ve changed or look different, check it out first.  Don’t just assume it’s a new layout.  Sometimes this can be a clue something’s wrong. 
  3. Don’t just buy from anyone on the Internet.  Just because they have the best price, doesn’t mean they’re the best.  If some item is priced way lower than everyone else, you should be suspicious.   Only buy from reputable companies you know.  A quick check of a website is a dead giveaway.  If the company lists no street or mailing address but only an email address or webform in the Contact Us section, stay away.
  4. Never visit an ecommerce or banking site with an SSL Cert that’s invalid.  Companies with certs keep them updated and valid.  Sometimes certs do legitimately expire without the company knowing.  Just call the company to tell them and ask what’s up.  Chances are they’ve received other calls about it.  If not, you’re helping them out.
  5. Look for the lock on your browser when an SSL session is established.  Get familiar with the Cert.  You can find out quite a bit of info from that little lock icon. 
  6. If something smells “phishy” don’t eat it.  Call the company and ask what’s up. 
  7. Finally, and not to be a commercial for PayPal, use PayPal whenever you can as long as it’s really PayPal and not a Phisher.  With real PayPal, if someone scams you on a purchase, they get you once.  If you give your credit card, they have your number and can run it up.

Kaspersky Hacked!

July 30th, 2008


The official Malaysian Kaspersky Antivirus website was hacked yesterday by a Turkish cracker going by the handle of “m0sted”.  Along with it, the same cracker also hacked the official Kaspersky S.E.S. online shop and several of its other subdomains.

The attacker reported “patriotism” as the reason behind the attack and “SQL Injection” as the technical way the intrusion was performed. Now possibly thousands of user records and credit cards are at risk of being sold for fraudulent purposes.

This is the reason why if you do frequent online stores, you should never save your online data with them.  If they have it, it can be stolen.  Most places give you the option.  NEVER say YES to this option. 

The Importance of Proactivity

July 30th, 2008


 

IBM’s X-Force security division reported that more than 90% of all  browser-related exploits occurred within 24 hours of an official vulnerability disclosure, and that most botnets were created using this flaw.  

What this means is that within one day of a vulnerability being announced, cyber-criminals are deploying code that can take control of an unpatched or unprotected user’s PC and use the PC as part of their botnets.  Botnets are groups of computers controlled by a rogue user; grouped with thousands, even millions of other similar computers, they can be used for the delivery of spam or denial of service attacks.

This demonstrates the need for three main things:

  1. Good patch management
  2. Updated anti-malware software that goes beyond your standard AV program
  3. Good security awareness training for your employees

These three things give you an effective defense against the botnet masters, not a 100% defense but one they don’t typically factor in.  Like any criminal looking for an easy steal, they’ll look for the unlocked and undefended places first.

If you have any questions about how to establish any of these three layers of protection, please contact us.  Your blog questions are welcome.   

GNSC to be quoted in Popular Mechanics Magazine

July 28th, 2008


Art Costigan, Information Security Analyst at GNSC, will be featured in an article on hard disk security in the October edition of Popular Mechanics Magazine.  It will be on newsstands in mid-September.

Children’s Online Protection Act

July 27th, 2008


 

The Third Circuit Court of Appeals ruled that the Child Online Protection Act, or COPA, is unconstitutional. The Act violates the First Amendment and is too broad, the court said. Free speech groups that worked to fight COPA, including the ACLU and EPIC, applauded the decision.

“For years, the government has been trying to thwart freedom of speech on the Internet, and for years the courts have been finding the attempts unconstitutional,” said Chris Hansen, senior staff attorney with the ACLU First Amendment Working Group. “The government has no more right to censor the Internet than it does books and magazines.”

This law is the one that required all schools to provide safeguards to prevent pornographic and other adult material from being viewed by minors.  While this decision may have some impact on libraries, it probably won’t have much impact on school districts, which have for years installed filters on their computers.  I think the thing to remember here is that as parents and concerned citizens, you should ask your school district or library what their position is on this and take the appropriate action you see fit.

Some Friday Humor and Wisdom

July 25th, 2008


 

In the last couple of years, I’ve seen my share of crazy things happen.  Anyone who has spent as many years in IT as I have will have accumulated a load of “stories” that become part of their base of knowledge and are eventually transformed into IT security wisdom.  Here are a few of my more recent ones.

The “Know it All Director.”  Nothing is more frustrating than meeting an IT Director who thinks he knows everything.  The danger here is that if they are in Stage 1 of the “4 phases of learning”, that company is in big trouble.  Solution:  Suck it up.  Admit you don’t know everything and get some help.  You can still take all the credit.

The “Office Power User.”  This is the guy who helps everyone and always brings in his special “Windows 98 utilities” from home.  Solution:  Don’t plug anything into your computer at work.  No USB drives, no iPods, no Cameras, NOTHING.  99% of problems start by cross contaminating PCs.

The “Download King.”  This is the guy who is the local challenger to Shareware.com.  He’s got just about everything in the world on his PC and knows how to use it.  However, he never gets his work done.  Solution:  If it’s free software, you probably shouldn’t download it.  Free works great for social engineering.  If there is a security breach, always start at this guy’s computer first.

The “I Need a Patch Guy”.  This is the IT administrator who when the network cord is too short, plugs the Windows server directly into the WAN firewall jack, “just for a minute”.  The result is a compromised Windows server and an infected network.  Solution: Don’t ever plug a patched or unpatched server into a WAN interface.  The average time to infect an unpatched Microsoft computer is 4 minutes.  With a simple firewall it’s 16 hours. 

The “I Have a Firewall Guy”.  This is the manager who runs his business operation with a Netgear or Linksys firewall and complains to his ISP about performance.  Solution:  Don’t use a $50 firewall, not even at home.  Get something good and pay someone to set it up.

The “Spam King or Queen.”  This is the man or woman who gets 25 times more spam than anyone else and is always complaining.  A simple look at their internet activity will show they spend more time surfing than working.  Solution:  Never give out your email to anyone you don’t know.  Treat it like your SSN.  Assume the other person you are giving it to will lose it or abuse it.  One time I even told a customer the best thing to do is give them a new email address and charge them for new business cards.

The “I Have the Best IT Guy in the World, Guy.”  This is the manager who hires his cousin or nephew because he “builds computers” at home.  Question:  Would you hire a CEO just because he knows the difference between a Quarter and a Dollar Bill?  Solution:  Vet your network staff.  You’re handing them the keys to the kingdom.

Limbo 2 Trojan

July 25th, 2008


 

Cybercrooks have released a custom-built Trojan, dubbed Limbo 2, “guaranteed” by its shady creators to continually evade the top ten anti-virus products on the market.

The Limbo 2 Trojan is touted as being able to bypass products from Symantec, McAfee, AVG and others to steal login credentials from online banking sessions. Crackers hawking tailored versions of the Trojan on underground forums are selling licences for up to $1,300, net security firm PrevX reports. The “guarantee” of non-detection represents a new level of sophistication in the underground malware business, which is borrowing more and more business models from the legitimate software industry.

This is why downloading unknown software off the Internet is so dangerous, since these types of programs are commonly “joined” to other products.  Users unknowingly install them, and they then operate undetected.  If it looks dubious, don’t download it.